Who would you trust for a 3rd party patch?
I have been reading some more on this 3rd party patch from ZERT. Reading the ZERT Manifesto, it would appear that they are serious about providing protection for 0-day exploits. It would also appear that this is not a group that was formed for profit in releasing these patches. At the very least, not a commercial entity. Now the only commercial entity that has done 3rd party patches that I know of is eEye. I have been thinking that if there was a situation where I was going to consider deploying a 3rd party patch, would I want to use one from a non-commercial, non-profit type of organization or a commercial entity such as eEye? I know Ross Brown of eEye reads this blog. I would be interested in what Ross thinks. The obvious answer from Ross is the commercial entity. However, give me some good reasons why.
Is there a place where these two types of entities work together so that there is one 3rd party patch, tested and approved by non-commercial and commercial entities alike? I think 3rd party patches, to be successful, are going to have to be rarely used and of top quality. It should be interesting to see what type of 3rd party patch provider you would prefer. Maybe we can get someone from ZERT and eEye on the podcast one night. Anyway, which would you use?


